A rootkit is a malicious piece of software designed to give a user “root,” or administrative access to a computer by installing a backdoor into the operating system running on the computer. There are two basic kinds of rootkits, kernel level and user level. Known user level rootkits may be detected by an anti-virus program capable of scanning user level memory.
Kernel level rootkits reside in the kernel level space and are capable of actively hiding themselves from other pieces of software. For example, many rootkits install a program that runs as the administrator and listens on a TCP socket for commands from a remote user. Those commands are run as the administrator, and so are allowed to perform any operation on the machine. When a malicious process is running at a user level, the malicious process may be detected by finding the process running in the process list, by finding the malicious process listening on a strange socket, or by detecting the malicious process using a signature file included with an anti-virus product. A kernel level rootkit is capable of hiding the malicious process from these methods of detection.
In addition to running the malicious process in the user space, the rootkit may also install software that runs in the kernel. When a user process requests the process list, the kernel level software removes references to the malicious process before returning the process list to the user level. Likewise, when a process asks for a list of open TCP sockets the kernel level software removes the reference to the socket to which the malicious process is listening. Furthermore, if an antivirus product opens the user level process's executable file to scan it, the kernel level software could redirect the file open to another non-malicious file. In this manner the software running in the kernel could hide the malicious process from detection.
Kernel-level Rootkits have not historically been a popular exploit. This may be changing as antivirus programs are becoming more ubiquitous as kernel level rootkits can evade detection by antivirus programs. Furthermore, trends in malicious activity are changing to activities that are profitable. Rootkits can allow the use of a company's internal machine to perform activities for the malicious user's profit, such as gaining access to confidential information or transferring money between accounts.